Security
DUEX is in an early private-pilot phase. This page describes the current data, access, and operational security posture for pilot conversations.
DUEX is not yet SOC 2, ISO 27001, or HIPAA attested. Customers requiring those attestations should confirm requirements with [email protected] before submitting pilot data.
Data handling
- Customer pilot data is used only to provide the service and produce decision records.
- Customer data is not used to train public models.
- Whether a provider retains submitted data or runs abuse monitoring on it depends on the provider and on the configuration contracted for the pilot. Confirm which providers apply to your pilot before submitting data.
- Pilot data is minimized to what the agreed pilot scope needs. It is deleted on request within 30 days, except where retention is required for security, legal, or billing records.
Access
- Operator access to customer data is limited to authorized DUEX personnel; at present that is the founder only.
- Slack scopes requested for pilot integrations are limited to what the pilot workflow actually needs.
- Production secrets are kept in managed environment variables rather than in source control; where this is not yet the case, it will be before any customer pilot use.
Transport & storage
- Public site traffic is served over HTTPS. Pilot service traffic between Slack, DUEX, and the selected providers is designed to run over HTTPS/TLS, and this will be in place before any customer data is processed.
- Web hosting and DNS are managed by Cloudflare.
- Where pilot data is stored is confirmed before each pilot. When database storage is used, access is limited to authorized operators.
Authentication
- For the planned Slack-native pilot, DUEX will use Slack's standard OAuth flow.
- Customer-side single sign-on (SAML / OIDC), custom retention policies, custom data residency, and dedicated deployment are discussed as part of an enterprise pilot; they are not part of the default early-pilot setup.
Incident handling
- If we detect a security incident that affects your data, we will notify the named pilot contact without unreasonable delay and aim to provide an initial notice within 72 hours after confirming the incident.
- We log operational events to support incident review.
Reporting an issue
If you believe you have found a security issue in DUEX, email [email protected] with affected URLs, steps to reproduce, and impact. Do not include third-party personal data or customer deal data in the initial report. We aim to acknowledge security reports within two business days.
Changes
This page evolves with the product. The effective date above reflects the most recent revision.